.

2025-04-26 12:24:32 +00:00 · 2013-07-25 16:44:12 -04:00 · 2013-07-25 16:44:12 -04:00 · 83c258e202
commit 83c258e202
parent beb0e72a6a
2 changed files with 82 additions and 4 deletions
--- a/parser-library/nt-headers.h
+++ b/parser-library/nt-headers.h
@ -2,11 +2,13 @@
 #define _NT_HEADERS
 #include <boost/cstdint.hpp>

-//need an offsetof macro
+#define _offset(t, f) ((boost::uint32_t)(ptrdiff_t)&(((t*)0)->f))

 //need to pack these structure definitions

 //some constant definitions
+const boost::uint16_t MZ_MAGIC = 0x5A4D;
+const boost::uint16_t NUM_DIR_ENTRIES = 16;

 struct dos_header {
    boost::uint16_t   e_magic;           
@ -40,4 +42,49 @@ struct file_header {
    boost::uint16_t   Characteristics;
 };

+struct data_directory {
+  boost::uint32_t VirtualAddress;
+  boost::uint32_t Size;
+};
+
+struct optional_header_32 {
+  boost::uint16_t   Magic;
+  boost::uint8_t    MajorLinkerVersion;
+  boost::uint8_t    MinorLinkerVersion;
+  boost::uint32_t   SizeOfCode;
+  boost::uint32_t   SizeOfInitializedData;
+  boost::uint32_t   SizeOfUninitializedData;
+  boost::uint32_t   AddressOfEntryPoint;
+  boost::uint32_t   BaseOfCode;
+  boost::uint32_t   BaseOfData;
+  boost::uint32_t   ImageBase;
+  boost::uint32_t   SectionAlignment;
+  boost::uint32_t   FileAlignment;
+  boost::uint16_t   MajorOperatingSystemVersion;
+  boost::uint16_t   MinorOperatingSystemVersion;
+  boost::uint16_t   MajorImageVersion;
+  boost::uint16_t   MinorImageVersion;
+  boost::uint16_t   MajorSubsystemVersion;
+  boost::uint16_t   MinorSubsystemVersion;
+  boost::uint32_t   Win32VersionValue;
+  boost::uint32_t   SizeOfImage;
+  boost::uint32_t   SizeOfHeaders;
+  boost::uint32_t   CheckSum;
+  boost::uint16_t   Subsystem;
+  boost::uint16_t   DllCharacteristics;
+  boost::uint32_t   SizeOfStackReserve;
+  boost::uint32_t   SizeOfStackCommit;
+  boost::uint32_t   SizeOfHeapReserve;
+  boost::uint32_t   SizeOfHeapCommit;
+  boost::uint32_t   LoaderFlags;
+  boost::uint32_t   NumberOfRvaAndSizes;
+  data_directory    DataDirectory[NUM_DIR_ENTRIES];
+};
+
+struct nt_header_32 {
+  boost::uint32_t     Signature;
+  file_header         FileHeader;
+  optional_header_32  OptionalHeader;
+};
+
 #endif
--- a/parser-library/parse.cpp
+++ b/parser-library/parse.cpp
@ -26,10 +26,37 @@ list<section> getSections(bounded_buffer *file) {
  return sections;
 }

-pe_header getHeader(bounded_buffer *file) {
+bool readNtHeader(bounded_buffer *b, nt_header_32 &header) {
+
+  return false;
+}
+
+bool getHeader(bounded_buffer *file) {
  pe_header p;

-  return p;
+  //start by reading MZ
+  ::uint16_t  tmp = 0;
+  ::uint32_t  curOffset = 0;
+  readWord(file, curOffset, tmp);
+  if(tmp != MZ_MAGIC) {
+    return false;
+  }
+
+  //read the offset to the NT headers
+  ::uint32_t  offset;
+  curOffset = _offset(dos_header, e_lfanew)+curOffset;
+  if(readDword(file, curOffset, offset) == false) {
+    return false;
+  }
+  curOffset += offset; 
+
+  //now, we can read out the fields of the NT headers
+  nt_header_32 nthdr;
+  if(readNtHeader(splitBuffer(file, curOffset, file->bufLen), nthdr) == false) {
+    return false;
+  }
+
+  return true;
 }

 parsed_pe *ParsePEFromFile(const char *filePath) {
@ -59,7 +86,11 @@ parsed_pe *ParsePEFromFile(const char *filePath) {
  //now, we need to do some actual PE parsing and file carving.

  //get header information
-  p->peHeader = getHeader(p->fileBuffer);
+  if(getHeader(p->fileBuffer) == false) {
+    deleteBuffer(p->fileBuffer);
+    delete p;
+    return NULL;
+  }

  //get the raw data of each section
  p->internal->secs = getSections(p->fileBuffer);